Coordinated Vulnerability Disclosure

Responsible disclosure policy for security researchers

Last updated: January 15, 2025

Introduction

AmiSyn B.V. (including its divisions Amisec, Amiphished, and AmiCloud) values the security community and believes that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

If you believe you have found a security vulnerability in any of our systems, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

Scope

In Scope

*.amisyn.com and all subdomains
*.amisec.nl and all subdomains
*.amiphished.nl and all subdomains
*.amicloud.nl and all subdomains
Mobile applications published by AmiSyn B.V.
API endpoints used by our services

Rules of Engagement

Please Do

Report vulnerabilities as soon as possible
Use test accounts or your own accounts for testing
Respect user privacy and do not access, modify, or delete user data
Only interact with your own accounts or test accounts
Use the minimum necessary amount of interaction to demonstrate the vulnerability
Keep vulnerability details confidential until we've had a chance to address them

Please Do Not

Perform Denial of Service (DoS/DDoS) attacks
Conduct social engineering attacks (phishing, vishing, smishing) against our employees or customers
Access, modify, or delete data belonging to others
Execute destructive attacks (data destruction, ransomware, etc.)
Conduct physical attacks against our facilities or personnel
Publicly disclose the vulnerability before we've addressed it
Violate any laws or breach any agreements

How to Report a Vulnerability

Contact Information

Email us at: security@amisyn.com

For encrypted communications, please use our PGP key (available upon request)

Include in Your Report

Vulnerability Type:What type of issue is it? (e.g., XSS, SQLi, CSRF, etc.)
Affected Systems:URLs, endpoints, or systems affected
Steps to Reproduce:Detailed steps to reproduce the vulnerability
Impact:Potential impact if exploited
Proof of Concept:Screenshots, videos, or code snippets
Your Contact Info:So we can follow up with you

Step 1

Discover

Identify a potential security vulnerability in our systems

Step 2

Report

Email security@amisyn.com with detailed information

Step 3

Triage

We assess and acknowledge within 5 business days

Step 4

Resolution

We fix the issue and notify you of the resolution

Our Commitment

Response Time

We will acknowledge receipt of your vulnerability report within 5 business days and provide an estimated timeline for addressing the vulnerability.

Communication

We will keep you informed about our progress. If you have followed the guidelines above, we will not take legal action against you regarding the report.

Recognition

With your permission, we will publicly acknowledge your responsible disclosure once the vulnerability has been fixed. We may also recognize researchers who have made significant contributions to our security.

Safe Harbor

AmiSyn B.V. considers security research conducted consistent with this policy to constitute "authorized" conduct under the Computer Fraud and Abuse Act and other applicable laws. We will not pursue civil or criminal action against you if you:

Follow this responsible disclosure policy
Report vulnerabilities in good faith
Do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability
Keep the vulnerability confidential until it has been addressed

Note: This safe harbor only applies to research conducted on systems owned and operated by AmiSyn B.V. If your research involves third-party systems, you must obtain permission from those parties.

Out of Scope Vulnerabilities

The following issues are generally considered out of scope:

Clickjacking on pages with no sensitive actions
Unauthenticated/logout Cross-Site Request Forgery (CSRF)
Missing security headers that do not directly lead to a vulnerability
Missing best practices (e.g., missing DNSSEC, CAA records)
Vulnerabilities in third-party services beyond our control
Social engineering attacks
Physical attacks against our facilities
Reports from automated tools without validation

Security.txt

We maintain a machine-readable security.txt file at the following locations:

https://amisyn.com/.well-known/security.txt

https://amisec.nl/.well-known/security.txt

https://amiphished.nl/.well-known/security.txt

https://amicloud.nl/.well-known/security.txt

Contact

For security-related inquiries or to report a vulnerability:

Email: security@amisyn.com

Company: AmiSyn B.V.

Address: [Complete Address], Utrecht, Netherlands

Please do not use this email for general support inquiries. For support, visit our main website.

Back to all legal documents